Evaluating user-defined conditions

Abigail abigail at abigail.be
Tue Jun 10 10:37:56 BST 2014


On Tue, Jun 10, 2014 at 09:26:17AM +0100, Andrew Beverley wrote:
> On Tue, 2014-06-10 at 09:20 +0200, Abigail wrote:
> > >     # Sanitise
> > >     $_ = $code;
> > >     return unless /^[ \S]+$/;               # Only allow normal spaces
> > >     return if /[\[\]]+/;                    # No brackets should remain
> > >     return if /\\/;                         # No escapes please
> > >     s/"[^"]+"//g;                           # Remove quoted strings
> > >     m!^([-()*+/0-9<> ]|&&|eq)+$! or return; # Allowed expression chars
> > 
> > 
> > So, you excluding having any alpha char (except 'eq') in the resulting
> > expression? Because that's what the last line does. Perhaps that's your
> > intention, because I've no idea what $value is going to be, other than
> > "it could be a string in quotes".
> 
> Yes, $value is either an integer or a string in quotes. The 2 lines
> previous to the last line should remove any string in quotes, therefore
> just leaving operators and integers?


So, your loop replaces [$var] with a string in quotes, only for s/"[^"]+"//g;
to remove it? I'm a bit confused what purpose that serves.


> > Now, if you do allow for alpha characters to be present, you have to make
> > sure things like "system qw xrm -rf foox" are filtered out. (As you can see,
> > the "remove quoted strings" isn't much of a filter -- q, qq, qw, qx, qr, s, m,
> > and y can take any delimiter).
> 
> I'm happy to be restrictive to the user, and only allow straightforward
> strings in double quotes. So anything else is removed or not allowed,
> and the strings in quotes are checked as above.


I don't see any check for strings in quotes -- they're removed. Do note
though that if a user inputs a string that starts with a ", and doesn't
use " elsewhere, the s/"[^"]+"//g; doesn't strip the [$var] replacements,
it will keep them as is, stripping the rest. And you'll be left with a
single " in the string -- which fails the last test.

> I would not be surprised if I've missed something though!


Considering that you want to be really restrictive, a parser is going to
be quite simple. Why not just write a parser instead of hoping you've
caught anything potentially bad?


Abigail
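A small allowlist parser of the kind suggested above, as an added example that is not part of the thread: it tokenises only what the original filter meant to let through (integers, double-quoted strings without escapes, [var] placeholders and the listed operators) and evaluates the result directly instead of handing the string to eval, so a variable's value is data, never code. The %ops table, the num() helper and the sample variables are this example's own constructions, not anything from the list.

```perl
use strict; use warnings;
# Tokeniser: integers, "strings" (no escapes), [var] placeholders and the allowed operators;
# anything else dies. A variable's value becomes one data token and is never re-scanned.
sub tokenise {
    my ($src, $vars) = @_;
    my @tok; local $_ = $src;
    until (/\G *\z/gc) {                      # done once only spaces remain
        /\G +/gc;                             # ordinary spaces only, no tabs
        if    (/\G(\d+)/gc)       { push @tok, [NUM => $1] }
        elsif (/\G"([^"\\]*)"/gc) { push @tok, [STR => $1] }
        elsif (/\G\[(\w+)\]/gc)   { my $v = $vars->{$1} // die "unknown variable [$1]\n";
                                    push @tok, [$v =~ /^-?\d+\z/ ? 'NUM' : 'STR', $v] }
        elsif (/\G(&&|eq|[-+*\/()<>])/gc) { push @tok, [OP => $1] }
        else { die "bad input at '", substr($_, pos($_) // 0), "'\n" }
    }
    return \@tok;
}
sub num { $_[0][0] eq 'NUM' ? $_[0][1] : die "number expected, got \"$_[0][1]\"\n" }
my %ops = (    # operator => [precedence, implementation]; every result is a NUM
    '&&' => [1, sub { ($_[0][1] && $_[1][1]) ? 1 : 0 }],
    'eq' => [2, sub { $_[0][1] eq $_[1][1] ? 1 : 0 }],
    '<'  => [2, sub { num($_[0]) < num($_[1]) ? 1 : 0 }],
    '>'  => [2, sub { num($_[0]) > num($_[1]) ? 1 : 0 }],
    '+'  => [3, sub { num($_[0]) + num($_[1]) }],
    '-'  => [3, sub { num($_[0]) - num($_[1]) }],
    '*'  => [4, sub { num($_[0]) * num($_[1]) }],
    '/'  => [4, sub { my $d = num($_[1]) or die "division by zero\n"; int(num($_[0]) / $d) }],
);
sub evaluate {                                 # precedence climbing; returns 1 or 0, or dies
    my ($src, $vars) = @_; my ($tok, $i) = (tokenise($src, $vars), 0);
    my $peek = sub { $i < @$tok && $tok->[$i][0] eq 'OP' ? $tok->[$i][1] : '' };
    my $expr; $expr = sub {
        my ($min) = @_; my $t = $tok->[$i++] // die "unexpected end of expression\n";
        my $v = $t->[0] ne 'OP' ? $t
              : $t->[1] eq '-' ? [NUM => 0 - num($expr->(5))]         # unary minus
              : $t->[1] eq '(' ? do { my $e = $expr->(1); $peek->() eq ')' or die "missing )\n"; $i++; $e }
              : die "unexpected '$t->[1]'\n";
        while (my $o = $ops{$peek->()}) {      # binary operators, left-associative
            last if $o->[0] < $min;
            $i++; $v = [NUM => $o->[1]->($v, $expr->($o->[0] + 1))];
        }
        return $v;
    };
    my $v = $expr->(1); $i == @$tok or die "unexpected '$tok->[$i][1]'\n";
    return $v->[1] ? 1 : 0;
}
# Constructed sample: [note] holds an operator yet is only ever compared as data.
my %vars = (age => 42, name => 'Bob', note => '2 * 3');
print evaluate('[age] > 18 && [name] eq "Bob" && [note] eq "2 * 3"', \%vars), "\n";
for my $bad ('[note] * 1', '"unterminated', '1 + [nope]', 'system(1)') { eval { evaluate($bad, \%vars) }; print "rejected '$bad': $@" }
```

Because a value substituted for [var] enters as a single token, the unbalanced-quote case discussed above is rejected by the tokeniser rather than slipping through a regex filter.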